Inter-VLAN ACL
Hi all
I'm having some trouble getting the ACL to work the way I want. I have a lot of clients in different VLANs (VLANs 6-10) and my ASA (10.1.99.254) on VLAN 99 for internet access. I need VLANs 6-10 to have access to the ASA for internet, but VLANs 6-10 should not have access to each other. At the moment I apply the access-group in the out direction on the VLAN 6 SVI.
VLAN 6 - 10.2.1.0/24
VLAN 7 - 10.2.2.0/24
VLAN 8 - 10.2.3.0/24
VLAN 9 - 10.2.4.0/24
I tried
10 permit ip 10.1.99.254 0.0.0.255 10.2.0.0 0.0.255.255
20 deny ip any any
I could ping the ASA and was not able to access the other VLANs. However, I also don't get any internet access: DNS responses are not passed, whereas ICMP traffic passed the ASA.
The switch is a 3560G
Any help would be appreciated.
Robert
The ACL should not prevent devices in the same VLAN from talking to each other; it will only stop devices outside of this VLAN, so what you are seeing is not right.
Regarding your general question, usually you use an inbound ACL on the source VLAN rather than an outbound ACL on the destination VLAN. You can use either, but blocking the packets at the source is the most common approach.
So if I understand correctly, you need to block all traffic between any of the 10.2.x.x/24 VLAN subnets?
If so, and you are not bothered about specifying the source IP subnet in each ACL:
ip access-list extended <acl-name>
 deny ip any 10.2.0.0 0.0.255.255
 permit ip any any
int vlan 10
 ip access-group <acl-name> in
So let's say VLAN 10 is 10.2.5.0/24. The above blocks any packet from clients in VLAN 10 with a destination IP of 10.2.x.x. All other packets are allowed. This same ACL could be applied to all the 10.2.x.x L3 VLAN interfaces.
Note that in the ACL I used a source of 'any' rather than "10.2.5.0 0.0.0.255". This is because with 'any' the same ACL can be applied inbound on all the 10.2.x.x VLANs without any modification. If you want to be more specific, you can use a specific ACL for each VLAN, i.e. for the same example above:
ip access-list extended <acl-name>
 deny ip 10.2.5.0 0.0.0.255 10.2.0.0 0.0.255.255
 permit ip 10.2.5.0 0.0.0.255 any
This would be more specific and would stop any client not in 10.2.5.x on this VLAN from sending packets, but most communication would not work anyway in that case, as the return packets would not be routed back to the client properly. But as I said, this makes the ACL unique to the VLAN, so you would need different ACLs per VLAN.
A few additional points-
(1) If clients use DHCP and the DHCP server is a 10.2.x.x device, you need to allow that before the deny line.
(2) Clients will not be able to ping their default gateway, i.e. the L3 VLAN interface. This isn't usually a problem, because the destination IP is rarely the L3 VLAN interface, but if you want to be able to, you need a permit line before the deny line. Also note that this means your ACL would be different for each VLAN, because the L3 VLAN interface IP is different per VLAN.
(3) If you use the same ACL on each VLAN interface, all hits on the ACL will be for all VLANs, so you will not be able to see hits per VLAN. This may or may not be important to you. Often this is why you see unique ACLs (in terms of number or name, but not necessarily content) used. If you do want to see hits per VLAN, simply duplicate the ACL with a new name per ACL (assuming you go with using 'any' in your ACLs).
Hope all that makes sense. Any questions, please ask.
Jon
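As an added illustration of Jon's inbound-ACL approach (example code written for this page, not from the thread or from Cisco): a small evaluator for IOS-style extended ACLs with wildcard masks and first-match semantics, run over Jon's ACL with his two suggested exceptions and over Robert's original outbound ACL. The DHCP server 10.2.1.10, the VLAN 10 SVI address 10.2.5.1 and the internet host 198.51.100.53 are assumed values, not from the thread.

```python
"""IOS-style extended ACL evaluator: wildcard masks, first match wins, implicit deny.
Added example for this thread; not code from the thread or from Cisco."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str               # "permit" or "deny"
    proto: str                # "ip" matches every protocol; otherwise "tcp"/"udp"/"icmp"
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dst_port: Optional[int] = None


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse the permit/deny lines of a named or numbered extended ACL; skip headers and remarks."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        t = line.split()
        if t and t[0].isdigit():          # optional sequence number
            t = t[1:]
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, sw, i = _parse_addr(t, 2)
        dst, dw, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        aces.append(Ace(t[0], t[1], src, sw, dst, dw, port))
    return aces


def _match(addr: int, base: int, wild: int) -> bool:
    mask = ~wild & 0xFFFFFFFF             # a set wildcard bit means "don't care"
    return (addr & mask) == (base & mask)


def evaluate(aces: List[Ace], src: str, dst: str, proto: str = "ip",
             dst_port: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching ACE); no match is the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for n, ace in enumerate(aces, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_match(s, ace.src, ace.src_wild) and _match(d, ace.dst, ace.dst_wild)):
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, n
    return "deny", None


# Robert's ACL from the question, applied OUT on the VLAN 6 SVI.
ROBERT_OUT = parse_acl("""
10 permit ip 10.1.99.254 0.0.0.255 10.2.0.0 0.0.255.255
20 deny ip any any
""")

# Jon's ACL applied IN on the VLAN 10 SVI (10.2.5.0/24), with his exceptions (1) and (2)
# placed before the deny. 10.2.1.10 (DHCP server) and 10.2.5.1 (SVI) are assumed values.
JON_IN_VLAN10 = parse_acl("""
ip access-list extended BLOCK_INTERVLAN_VLAN10
 remark (1) relayed DHCP to a server that itself lives in 10.2.x.x
 permit udp any host 10.2.1.10 eq 67
 remark (2) let clients ping their own gateway, the VLAN 10 SVI
 permit ip any host 10.2.5.1
 deny ip any 10.2.0.0 0.0.255.255
 permit ip any any
""")


def check_jon_acl() -> Dict[str, Tuple[str, Optional[int]]]:
    return {
        "to_other_vlan": evaluate(JON_IN_VLAN10, "10.2.5.20", "10.2.1.5"),
        "to_asa": evaluate(JON_IN_VLAN10, "10.2.5.20", "10.1.99.254"),
        "ping_gateway": evaluate(JON_IN_VLAN10, "10.2.5.20", "10.2.5.1", "icmp"),
        "dhcp_renew": evaluate(JON_IN_VLAN10, "10.2.5.20", "10.2.1.10", "udp", 67),
        "other_port_to_dhcp_host": evaluate(JON_IN_VLAN10, "10.2.5.20", "10.2.1.10", "tcp", 445),
    }


def check_robert_acl() -> Dict[str, Tuple[str, Optional[int]]]:
    # Outbound on VLAN 6 the ACL only sees routed packets entering VLAN 6. A reply from the
    # ASA itself matches line 10, but a DNS reply from an internet host (198.51.100.53 is a
    # constructed address) has no 10.1.99.x source and falls to line 20: Robert's symptom.
    return {
        "asa_reply": evaluate(ROBERT_OUT, "10.1.99.254", "10.2.1.20", "icmp"),
        "dns_reply": evaluate(ROBERT_OUT, "198.51.100.53", "10.2.1.20", "udp"),
    }


if __name__ == "__main__":
    for name, result in {**check_jon_acl(), **check_robert_acl()}.items():
        print(f"{name:24} -> {result}")
```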
Tags: Cisco Network
Similar Questions
-
Restricted inter-VLAN routing with SG200-26 and SG300-10
Hi all
My apologies if this has been covered elsewhere.
My organization would like to organize a LAN game event. The setup I have in mind involves a 24-port switch to connect all the player computers, with that switch connected to a smaller 'core' switch which has the router and game server connected. I would like to know if I can set things up as follows...
SG200-26 with ports 1 to 24 on separate VLANs so they cannot talk to each other. I'd then like ports 25 and 26 to be an aggregated trunk (for bandwidth and redundancy) carrying all 24 VLANs plus an additional management VLAN (e.g. VLAN 100) that will be used to access the switch. I want these aggregated trunk ports to connect to a 'core' SG300-10 switch which is connected to the game server and a router for internet access.
I would also like the option of having two network connections from the server to the switch, one on the management VLAN and the other on a different VLAN (e.g. VLAN 50) which will be accessible by the players (ports 1-24 of the SG200-26). The core switch needs to be able to perform restricted inter-VLAN routing, so that VLANs 1-24 cannot talk to each other but can talk to the server VLAN, and only on specific service ports (e.g. ports 12345, 12346). Is this possible?
Also, how do I configure the SG300-10 to allow VLANs 1-24 to talk to VLAN 50 but not to VLAN 100? I will probably also put the router on its own VLAN (e.g. VLAN 60) and allow VLANs 1-24 access to it, but only via HTTP port 80 for web access.
What do you think?
Thank you.
Hi Marc, the default gateway of the computers will be the SVI on the switch.
Router -> Layer 3 SG300 -> Layer 2 SG300
The router is 192.168.1.1
VLAN 1 on the SG300 is 192.168.1.100
VLAN 2 on the SG300 is 192.168.2.1
The layer 2 SG300 has a 1U,2T trunk.
My computer connects to an untagged VLAN 2 access port on the layer 2 SG300.
I am able to ping 192.168.2.1
I am able to ping 192.168.1.100
I cannot ping 192.168.1.1
The reason is that the router has no idea about this subnet, so it cannot send the packet back to the 192.168.2.x source subnet.
The ACL and basic connectivity are 2 different animals. The ACL is to prevent inter-VLAN communication. Basic connectivity requires trunk/VLAN tagging or static routes.
-Tom
Please rate helpful posts -
Hello forumers
My problem statement
a. How do I let a single switchport carry both the voice VLAN and the data VLAN?
Say I have created and configured the voice VLAN (20) and the data VLAN (10).
First of all, I do it like this (see Join the voice vlan.png).
What should I do:
A1. VLAN Management > Port to VLAN
(define the interface as General, but then should I check PVID, Tagged or Untagged?)
A2. VLAN Management > VLAN to Port
(do I join VLAN 10 and VLAN 20 to the switchport?) (see VLAN to Port.png)
b. Is the switch's "ip routing" used for inter-VLAN routing?
Say I create the VLANs and assign IP addresses to their virtual interfaces. What do I have to do to activate inter-VLAN routing?
I have checked the IPv4 static route on the switch; do I need to manually create static routes to reach each VLAN subnet?
c. Can it be an NTP server?
Thank you
Noel
Hello!
a. Create VLAN 10 (data) and VLAN 20 (voice). Set the switchport where the IP phone is attached to Trunk mode (VLAN Management > Interface Settings). The administrative PVID of the port should be 10. Go to VLAN Management > Port VLAN Membership, select the switchport and click Join VLANs. In the right column you should have '10UP' (VLAN 10 Untagged, PVID: 10). In the left column select 20, tagging must be Tagged, click the right arrow button to add VLAN 20 Tagged to the port and click Apply.
These settings will make the switchport forward VLAN 10 (data) traffic untagged and VLAN 20 (voice) traffic tagged to the phone. In turn, your phone, if it has a PC attached, must be configured to tag voice traffic with VLAN 20 and forward the PC's data traffic untagged. Keep the Voice VLAN settings as shown on the screenshot; this lets the switch assign the optimal QoS settings for voice VLAN traffic.
b. If you have the latest firmware installed, inter-VLAN routing is enabled by default. Simply create the SVIs (assign an IP address to the VLAN interface) and, if you have at least one host connected to a switchport that is a member of the VLAN, the route to this subnet will automatically appear in the switch routing table. If you have multiple VLANs with assigned IP addresses and active hosts on these VLANs, all these networks appear in the routing table as directly connected, and hosts in all VLANs will be able to communicate with each other. If you need to restrict inter-VLAN communication, use IP ACLs.
c. No, the switch can be an SNTP client only.
-
Catalyst 6500 Inter-VLAN routing
I have a Cisco 6500 switch and I have a question about inter-VLAN routing and the "ip routing" command. I use switched virtual interfaces (i.e. int vlan 2, int vlan 3, etc.), but I noticed that I don't have ip routing enabled on my switch and yet I can route properly between the VLANs. I even have a few ports configured with the "no switchport" command and assigned IP addresses. On the routed ports there is another switch on the other side configured with an IP address, and I am able to ping and route traffic to the other network.
I did some research on this and all the documentation I can find talks about how you must enable ip routing to route between VLANs. I guess this only needs to be done if you are going to route to other, not directly connected networks.
http://www.ccnpguide.com/CCNP-switch-642-813-inter-VLAN-routing/
Can someone clarify this for me?
On the 6500 series, IP routing is enabled by default, so all VLANs can communicate with each other. You don't need to enable it as you do on other switches (i.e. 3560, 3750, 3850, etc.).
HTH
-
RV220W Inter VLAN firewall rules
Hello
I just bought a Cisco RV220W router for our branch to replace a ZyWALL 2 Plus. I updated the device to the latest firmware, 1.0.5.8.
I tried several different settings but cannot solve a simple inter-VLAN configuration that the ZyWALL solves in a few clicks.
I have a simple task: I need two isolated VLANs on my network (VLAN 1: 10.1.2.1 and VLAN 10: 192.168.2.1). No traffic between the VLANs is allowed. I have to configure several exceptions:
1.) Access from VLAN 1 to a server (192.168.2.40) on VLAN 10, port 3389 (RDP).
2.) Access from VLAN 10 to a network printer (10.1.2.10) on VLAN 1, port 9100.
I tried several settings and firewall configurations that do not work.
I tried inter-VLAN (VLAN-VLAN) rules to block all traffic except what is permitted, but these rules don't change anything. I have full access from one VLAN to the other and vice versa.
I tried disabling inter-VLAN routing, which solves my isolation task, but then the inter-VLAN firewall rules do not work for the exceptions I need.
Thanks for all your help in advance.
Hello
For this configuration you must first uncheck Inter-VLAN routing for both VLANs (Networking > LAN > VLAN Membership). Also make sure the ports are properly configured as Tagged/Untagged/Excluded.
After that, you must create 2 access rules (Inter VLAN (VLAN - VLAN)):
- From Default to VLAN10 - Always allow - Source any - Destination 192.168.2.40
- From VLAN10 to Default - Always allow - Source any - Destination 10.1.2.10
There is no need to create block rules, as that is the default when inter-VLAN routing is not enabled.
If with this configuration you still do not have access to the server and printer, you can use Administration > Diagnostics > Packet Capture and Wireshark to track whether the packets are routed properly between the VLANs and where the chain stops.
Kind regards
Bismuth
-
RV042G router - Inter VLAN:
Does this router support 802.1Q? Or do I have to connect one router port per VLAN?
For example, if I have 2 VLANs configured on a SINGLE SWITCH, do I:
(a) TRUNK the VLANs on the switch and plug it into a port on the ROUTER?
(b) connect one port on the ROUTER to VLAN 1 and another port to VLAN 2?
Thank you
Henrique
Hello Henrique,
The RV042G does not support 802.1Q trunking, so you would need one connection per VLAN.
Depending on the switch, you may need to disable spanning tree in order for multiple connections to the same router to work.
Hope that helps,
Christopher Ebert - Advanced Network Support Engineer
Cisco Small Business Support Center
* Please rate helpful posts *
-
SG300-52: no inter-VLAN routing
Hello
I have a basic configuration on this SG300-52:
- L3 is enabled
- Latest firmware is installed (1.4.0.88)
- VLAN 1 IP is 10.0.0.1/24
- A PC is connected to port 1 (with IP 10.0.0.3)
- VLAN 99 IP is 192.168.0.2/29
- A router is connected to port 49 (with IP address 192.168.0.1; Internet access from the router is OK)
- On the SG300-52 the default gateway is 192.168.0.1
From the SG300:
- I can ping the default gateway (192.168.0.1) and any Internet address using 192.168.0.2 as the source IP address
- I can't ping the default gateway (192.168.0.1) or any Internet address using 10.0.0.1 as the source IP address
- I can ping my PC (10.0.0.3) using 10.0.0.1 as the source IP address
- I can't ping my PC (10.0.0.3) using 192.168.0.2 as the source IP address
There is no inter-VLAN routing, but I can't find how to activate it...
The complete configuration is the following:
SG300-52#show run
config-file-header
SG300-52
v1.4.0.88 / R800_NIK_1_4_194_194
CLI v1.0
set system mode router
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
vlan database
vlan 99
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone___
voice vlan oui-table add 00036b Cisco_phone___
voice vlan oui-table add 00096e Avaya___
voice vlan oui-table add 000fe2 H3C_Aolynk___
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone___
bonjour interface range vlan 1
hostname SG300-52
username cisco password encrypted c464af817287343305cbd6493c593885695df531 privilege 15
ip ssh server
snmp-server server
ip telnet server
!
interface vlan 1
 ip address 10.0.0.1 255.255.255.0
 no ip address dhcp
!
interface vlan 99
 name WAN
 ip address 192.168.0.2 255.255.255.248
!
interface gigabitethernet49
 switchport mode general
 switchport general allowed vlan add 99 untagged
 switchport general pvid 99
!
exit
ip default-gateway 192.168.0.1
Any idea on the issue?
Thanks in advance for your help.
Hi Anthena1390
My email is [email protected]. When you reply by email, let me know which devices need to communicate on VLAN 99. Is there a major reason the SG300 handles DHCP instead of your router? I would like to add a few screenshots showing how to properly set up a P2P link, assign DHCP pools and correctly add default routes. Send an email and let's get your problem resolved.
-
RV180 router: impossible to get Inter-VLAN routing to work.
I've been at this for two days now and just can't get Inter-VLAN routing to work on this router.
Here is the setup:
Updated to the latest Cisco firmware (1.0.1.9).
From default settings, I added 2 VLANs as follows:
VLAN default (id = 1): dhcpmode = server, IP = 192.168.1.1/24, port 1
VLAN vlan2 (id = 2): dhcpmode = server, IP = 192.168.2.1/24, port 2
VLAN vlan3 (id = 3): dhcpmode = server, IP = 192.168.3.1/24, port 3 (no link)
WAN port
|
Routing/NAT
|
--------------------------------------
VLAN IP                   192.168.1.1    192.168.2.1    192.168.3.1
VLAN name                 default        vlan2          vlan3
VLAN ID                   1              2              3
Inter-VLAN routing        No             Yes            Yes
Port 1                    Untagged       Excluded       Excluded
Port 2                    Excluded       Untagged       Excluded
Port 3                    Excluded       Excluded       Untagged
Port 4 (not of interest)  Untagged       Excluded       Excluded
---------                 --------       --------
Port 1                    Port 2         Port 3
|                         |              |
AdminPC                   PC2            PC3
                          192.168.2.191  192.168.3.181
PC2 is assigned an IP address of 192.168.2.191 (DGW = 192.168.2.1) - OK
PC3 is assigned an IP address of 192.168.3.181 (DGW = 192.168.3.1) - OK
(IP 192.168.2.191) PC2 can ping 192.168.2.1 and 192.168.3.1 - OK
(IP 192.168.3.181) PC3 can ping 192.168.3.1 and 192.168.2.1 - OK
BUT...
PC2 cannot ping PC3 - DOES NOT WORK
PC3 cannot ping PC2 - DOES NOT WORK (does not work in gateway or router mode)
CAN SOMEONE HELP ME UNDERSTAND WHY?
Your help is very appreciated.
I bought this unit specifically because it supported inter-VLAN routing!
Vlaminck
---------------------------------------------------------------------------
Support information:
Screenshots:
VLAN Membership:
VLAN ID | Description | Inter VLAN Routing | Device Mgmt | Port 1 | Port 2 | Port 3 | Port 4
1 | default | disabled | enabled | Untagged | Excluded | Excluded | Untagged
2 | VLAN2 | enabled | enabled | Excluded | Untagged | Excluded | Excluded
3 | VLAN3 | enabled | enabled | Excluded | Excluded | Untagged | Excluded
Multiple VLAN Subnets:
VLAN ID | IP Address | Subnet Mask | DHCP Mode | DNS Proxy Status
1 | 192.168.1.1 | 255.255.255.0 | DHCP Server | enabled
2 | 192.168.2.1 | 255.255.255.0 | DHCP Server | enabled
3 | 192.168.3.1 | 255.255.255.0 | DHCP Server | enabled
Routing table (Bridge Mode):
Destination | Gateway | Genmask | Metric | Ref | Use | Type | Interface | Flags
127.0.0.1 | 127.0.0.1 | 255.255.255.255 | 1 | 0 | 0 | static | lo | up, gateway, host
192.168.3.0 | 0.0.0.0 | 255.255.255.0 | 0 | 0 | 0 | dynamic | bdg3 | up
192.168.2.0 | 0.0.0.0 | 255.255.255.0 | 0 | 0 | 0 | dynamic | bdg2 | up
192.168.1.0 | 0.0.0.0 | 255.255.255.0 | 0 | 0 | 0 | static | bdg1 | up
192.168.1.0 | 192.168.1.1 | 255.255.255.0 | 1 | 0 | 0 | static | bdg1 | up, gateway
127.0.0.0 | 0.0.0.0 | 255.0.0.0 | 0 | 0 | 0 | dynamic | lo |
Routing table (Router Mode):
(Ditto)
Hello
Just because pings are allowed on the same subnet does not mean they are from a different subnet.
You probably have a Windows software firewall problem, because by default it drops ICMP echoes from a different subnet.
Regards
Alain
Remember to rate useful posts.
-
Problem with inter-VLAN routing... How to solve it?
Hi all.
I have a WRVS4400N in my office to have a VPN with our main customer and also to manage the entire small network.
In two weeks, more or less, we will move our office somewhere else, merging two offices into one.
At the new location we will have two different ADSL connections, and we will keep our LAN separate from the other LAN.
The goal is to interconnect the two local networks so that the machines on one LAN can 'see' those on the other, but keep both LANs with their current configuration, subnet, etc.
To achieve this, I created a new VLAN on the router and attached only port 4 to this VLAN.
As you can see, the main VLAN has its own /24 subnet (10.148.145.0/24) with DHCP enabled (for addresses on my LAN), while the new VLAN has its own /24 subnet too (10.0.0.0/24) but with DHCP disabled (it is a different LAN with its own DHCP server).
VLAN 1 uses ports 1-3 and VLAN 2 uses port 4 only.
Of course, I enabled inter-VLAN routing:
To emulate the future scenario, I connected a router to port 4 via its Internet port with IP 10.0.0.2, so I have two different local networks.
Well, the reality is this:
- From my PC connected to VLAN 1 I have an IP address (assigned by my Cisco) and I see all of my VLAN and I see 10.0.0.1 too (the router's IP on VLAN 2), but I don't see anything more (pings to 10.0.0.2 get no answer). I can access the Cisco router at 10.0.0.1 and 10.148.145.97.
- From my PC connected to VLAN 2 I have an IP address (assigned by the other router at 10.0.0.2) and I see only my VLAN (10.0.0.0/24 IPs). I can access the Cisco router only at 10.0.0.1.
How can I enable these two VLANs to 'see' each other?
How can I control access to the WAN port? I don't want machines on VLAN 2 accessing the internet through our router.
Thank you and best regards!
Hello Francisco,
Switching from gateway mode to router mode will turn off NAT on the router. That will keep VLAN 2 from getting out to the internet, but also VLAN 1, which is not what you want. You may be able to create access rules and deny rules to prevent getting out to the internet... maybe create some default routes such as 0.0.0.0. Also, you may be able to create internet access rules to stop a certain subnet from being able to get out to the internet as well.
Regarding the VLANs talking to each other, everything looks good: inter-VLAN routing is what allows the two VLANs to talk to each other and it is enabled. What default gateways are set on the devices you are testing with? As long as the default gateways on your PCs and devices point to the router's IP/gateway address, you should be good to go at this point.
VLAN 1: default gateway should be 10.148.145.97
VLAN 2: default gateway should be 10.0.0.1
Other than that, everything seems to be set up correctly based on the images. The VLANs you put on the ports are correct.
Let me know how your devices are configured and we will go from there.
Hope this helps,
Thank you
Clayton Sill
-
Hello
I'm trying to get inter-VLAN routing to work on an SF 300-24 port switch. I have an existing business network on 192.168.111.0 and want to create a VLAN on 192.168.1.1 which can talk to 192.168.111.0. I enabled layer 3 routing on the switch through the console and also entered the ip routing commands. I have the following VLANs:
VLAN 1 - default 192.168.111.0
VLAN 2 - 192.168.1.0
I turned on DNS and provided my two DNS servers, 192.168.111.82 & 192.168.111.212.
I set the VLAN 1 interface to 192.168.111.217 and the VLAN 2 interface to 192.168.1.1.
Ports FE1 - FE15 are access ports assigned to VLAN 1 (untagged)
Ports FE16 - FE24 are access ports assigned to VLAN 2 (untagged)
I set a default route on the switch of 0.0.0.0 0.0.0.0 192.168.111.254 (Draytek 2600 router). I connected a computer (A) to VLAN 1 port FE3 and a computer (B) to VLAN 2 port FE16. I set computer A's default gateway to 192.168.111.217 and its IP address to 192.168.111.94. I set computer B's default gateway to 192.168.1.1 and its IP to 192.168.1.2.
Computer A has access to the MDaemon server and files via the network but no internet (cannot ping Google), and can ping computer B and RDP to computer B.
Computer B can ping computer A and RDP to computer A but does not have access to the company network, i.e. MDaemon, file server etc. It can also access the internet.
From the console I can ping www.google.co.uk and all the IP addresses on the company network, i.e. 192.168.111.82 (DNS server). I do not understand what I am doing wrong and have been banging my head for a few days. I started a new job and desperately need this to work, so any help would be greatly appreciated.
If I run a Wireshark scan on a computer with internet, it starts working weirdly!
Config shown below:
switch7c0a71#show run
vlan database
vlan 2
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone___
voice vlan oui-table add 00036b Cisco_phone___
voice vlan oui-table add 00096e Avaya___
voice vlan oui-table add 000fe2 H3C_Aolynk___
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone___
interface vlan 2
 ip address 192.168.1.1 255.255.255.0
exit
interface vlan 1
 ip address 192.168.111.217 255.255.255.0
exit
ip route 0.0.0.0 0.0.0.0 192.168.111.254
interface vlan 1
 no ip address dhcp
exit
bonjour interface range vlan 1
hostname switch7c0a71
no passwords complexity enable
no snmp-server server
interface fastethernet1
 switchport mode access
exit
interface fastethernet2
 switchport mode access
exit
interface fastethernet3
 switchport mode access
exit
interface fastethernet4
 switchport mode access
exit
interface fastethernet5
 switchport mode access
exit
interface fastethernet6
 switchport mode access
exit
interface fastethernet7
 switchport mode access
exit
interface fastethernet8
 switchport mode access
exit
interface fastethernet9
 switchport mode access
exit
interface fastethernet10
 switchport mode access
exit
interface fastethernet11
 switchport mode access
exit
interface fastethernet12
 switchport mode access
exit
interface fastethernet13
 switchport mode access
exit
interface fastethernet14
 switchport mode access
exit
interface fastethernet15
 switchport mode access
exit
interface fastethernet16
 switchport mode general
 switchport general allowed vlan add 2 untagged
exit
interface fastethernet17
 switchport mode general
 switchport general allowed vlan add 2 untagged
exit
interface fastethernet18
 switchport mode general
 switchport general allowed vlan add 2 untagged
exit
interface fastethernet19
 switchport mode general
 switchport general allowed vlan add 2 untagged
exit
interface fastethernet20
 switchport mode general
 switchport general allowed vlan add 2 untagged
exit
interface fastethernet21
 switchport mode general
 switchport general allowed vlan add 2 untagged
exit
interface fastethernet22
 switchport mode general
 switchport general allowed vlan add 2 untagged
exit
interface fastethernet23
 switchport mode general
 switchport general allowed vlan add 2 untagged
exit
interface fastethernet24
 switchport mode general
 switchport general allowed vlan add 2 untagged
exit
interface vlan 2
 name development
exit
Hi Richard,
43 - permit Protocol: any / all
42 - deny Protocol ALL 192.168.2.0 0.0.0.255 -> 192.168.111.0 0.0.0.255
41 - deny Protocol ALL 192.168.111.0 0.0.0.255 -> 192.168.2.0 0.0.0.255
40 - permit Protocol RDP TO ALL
etc.
To block everything, including MSSQL, with the exception of RDP and the other ports you defined above. The other ones defined are simply not the RDP protocol and service; does it work?
Richard, please rate helpful posts and mark the correct answers.
Best,
David
-
RV110W inter-VLAN routing is not possible
On the Cisco RV110W I set up 2 VLANs, one 192.168.1.xxx (Green Net) and a second, 192.168.2.xxx, with only a fixed address 192.168.2.100 (Server), which is configured in the DMZ area. I enabled "inter-VLAN routing" as described in "routing between separate VLANs on Cisco RV110W". I can ping the server in one direction; in the other I get an error. That is just as expected and OK! All the other expected abilities work well!
Now, I want the Green network to see the server (the firewall on the server is off).
I configured the network/router with exactly the values from the guide and got an error: "destination LAN IP may not be the same as the router's IP subnet".
Sorry, I don't understand this. Can anyone help?
Thank you in anticipation
Anton
If I understand correctly, you have a second VLAN, 192.168.2.x. The RV110W is a member of this subnet, so that is why you cannot have a static route for something the router already knows it hosts.
-Tom
Please rate helpful posts -
SGE2010 inter-VLAN routing problem
OK, back to basics. I tried to set up complicated things that did not work, so now I'm starting from the basics.
I am trying to configure my Cisco SGE2010 48-port Gigabit switch for inter-VLAN routing.
So far, I set the switch to layer 3 mode from the telnet console and rebooted it.
Entered the web interface and changed the IP of the default management VLAN to 192.168.2.3.
Added VLAN 70 and VLAN 180 under Bridging, VLAN Management section.
Under IP, IPv4 Interface Address, I added the IP address for each VLAN as follows:
IP Mask Interface
192.168.70.3 255.255.255.0 VLAN 70
192.168.180.3 255.255.255.0 VLAN 180
Then I went to Bridging, VLAN Management, Port to VLAN:
set port g1 as an access port for VLAN 70
set port g2 as an access port for VLAN 180
Connected computer A to port g1 with static IP 192.168.70.200, mask 255.255.255.0, gateway 192.168.70.3
Connected computer B to port g2 with static IP 192.168.180.180, mask 255.255.255.0, gateway 192.168.180.3
I then go to Routing, Static Routing: I see the destination 192.168.70.0 /24 as type local route and likewise 192.168.180.0 /24 as type local route.
On computer A I ping the gateway 192.168.70.3 and it works.
On computer B I ping the gateway 192.168.180.3 and it works.
The problem is that they cannot ping each other; the Windows firewall is disabled on both computers.
If I do a tracert from either computer it reaches the default gateway but then times out on the second hop.
Any suggestions as to what I could have done wrong and the solution to the problem would be appreciated.
Edit: Here's the running configuration if it helps:
Cisco-SGE2010# show running-config
vlan database
vlan 70,180
exit
interface ethernet g1
 switchport access vlan 70
exit
interface ethernet g2
 switchport access vlan 180
exit
interface vlan 70
 name printer
exit
interface vlan 180
 name wireless
exit
interface vlan 1
 ip address 192.168.2.3 255.255.255.0
exit
interface vlan 70
 ip address 192.168.70.3 255.255.255.0
exit
interface vlan 180
 ip address 192.168.180.3 255.255.255.0
exit
hostname Cisco-SGE2010
snmp-server location here
snmp-server contact me
Cisco-SGE2010#
If you can ping both switch interfaces, routing works correctly. You may need to turn off the Windows Firewall or open it to allow ICMP from a different subnet. Windows Vista and 7 by default block ICMP from any subnet other than their own.
Cisco Small Business Support Center
Randy Manthey
CCNA, CCNA - security
-
802.1Q trunking / inter-VLAN routing problem, SGE2000P - Cisco 2821
I am evaluating the SGE2000P and am unable to get inter-VLAN routing to work with the external router via an 802.1Q trunk. I have a 2821 with 3 subinterfaces and I use VLAN 1 as the native VLAN. G0/0 on the router is connected to port G1 on the SGE. I can create VLANs and devices in the VLANs can reach devices in their respective VLAN, but they can't reach the router IP address to access the other subnets. Currently I have the port connected to the router configured as a trunk using VLAN 1 untagged. The SGE has the latest firmware and I have tried the access, general & trunk port types and changed the PVID; nothing has worked for the other ports on the switch. What would have taken two minutes on a Cisco Catalyst switch has left me flabbergasted; could it be a defective switch? I have not been able to find documentation or examples of this configuration scenario.
For reference, config the router interface:
interface G0/0.1
 encapsulation dot1q 1 native
 ip address 1.1.1.1 255.255.255.0
interface G0/0.2
 encapsulation dot1q 2
 ip address 2.2.2.1 255.255.255.0
interface G0/0.3
 encapsulation dot1q 3
 ip address 3.3.3.1 255.255.255.0
Any help\direction is appreciated.
Thank you
Burt
Hello Burt, good evening,
Have you included VLANs 2 and 3 on the trunk port and ensured that they are tagged? They should be set to tagged. The web interface can be confusing with this config/operation.
Please check this and let me know, and if necessary I'll lab this for you as well. Please let me know,
Andrew
-
Dear Sir
We want to create an access list to isolate our guest WiFi network from all the other VLANs.
When I do, the other SSIDs disappear from our laptops. I applied the access list inbound on our guest SVI:
!System Description "M4100-24G-POE+ ProSafe 24-port Gigabit L2+ Managed Switch with PoE+, 10.0.2.13, B1.0.1.1"
!System Software Version "10.0.2.13"
!System Up Time "28 days 22 hours 39 minutes 58 seconds"
!Additional Packages QOS,IPv6,Routing
!Current SNTP Synchronized Time: SNTP Last Attempt Status Is Not Successful
!
vlan database
vlan 99,200-208,455-456,999
vlan name 99 "TEST"
vlan name 200 "Clients"
vlan name 201 "Telefonie"
vlan name 202 "guest"
vlan name 203 "fr"
vlan name 204 "TD"
vlan name 205 "DMZ"
vlan name 206 "printers"
vlan name 207 "media"
vlan name 208 "Wireless"
vlan name 999 "3com"
vlan routing 1 1
vlan routing 200 2
vlan routing 201 3
vlan routing 202 4
vlan routing 203 5
vlan routing 204 6
vlan routing 205 7
vlan routing 206 8
vlan routing 207 9
vlan routing 208 10
vlan routing 455 11
vlan routing 456 12
vlan routing 99 13
exit
network mgmt_vlan 203
ip http secure-server
configure
time-range
ip default-gateway 10.253.255.1
username "admin" password 483f42190380e8780a9d32a3c63d31b86d6ad49b870db8306af86a9ce3e06cd9a39f66e666e86f0aaab777b0ab9fe571908247c31d904463d1a0767400f8e763 level 15 encrypted
username "secit" password 912ba98d721224814ea15db6dec1701819e75dfcafa635831e9eab148c105c20ba85dc61882dd47a65eb66dff6cf0005a1a2232b6957ec898cd6187c6bdbb510 level 15 encrypted
line console
exit
line telnet
exit
line ssh
exit
spanning-tree bpduguard
!
ip access-list ACL_Wizard_IPv4_0
exit
ip access-list Deny_Guest_Intervlan_Routing
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.1.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.3.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.4.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.5.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.6.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.7.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.8.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.9.0 0.0.0.255
deny ip 10.253.2.0 0.0.0.255 10.253.11.0 0.0.0.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
class-map match-all ClassVoiceVLAN ipv4
match vlan 201
exit
policy-map PolicyVoiceVLAN in
class ClassVoiceVLAN
assign-queue 3
exit
exit
interface 0/1
description "ACCESSPORTS"
vlan participation include 200-201
vlan tagging 201
exit
interface 0/2
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 1000000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/3
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201,204
vlan tagging 201
ip mtu 1500
exit
interface 0/4
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/5
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 1000000
vlan pvid 99
vlan participation include 99,200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/6
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/7
voice vlan 201
service-policy in PolicyVoiceVLAN
description "ACCESSPORTS"
vlan pvid 203
vlan participation include 200-201
vlan tagging 201
exit
interface 0/8
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/9
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/10
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/11
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/12
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/13
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation auto 1
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/14
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation auto 1
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/15
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation auto 1
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/16
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 202
vlan participation auto 1
vlan participation include 201-202
vlan tagging 201
ip mtu 1500
exit
interface 0/17
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 200
vlan participation include 200-201
vlan tagging 201
ip mtu 1500
exit
interface 0/18
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 203
vlan participation include 200-201,203
vlan tagging 201
ip mtu 1500
exit
interface 0/19
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 206
vlan participation auto 1
vlan participation include 201,206
vlan tagging 201
ip mtu 1500
exit
interface 0/20
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 999
vlan participation include 200-201,204-207,455-456,999
vlan tagging 200-201,204-207,455-456
ip mtu 1500
exit
interface 0/21
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
vlan pvid 455
vlan participation auto 1
vlan participation include 200-204,455-456
vlan tagging 200-204
ip mtu 1500
exit
interface 0/22
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
switchport mode trunk
switchport trunk native vlan 456
vlan pvid 456
vlan participation auto 1
vlan participation include 200-204,456
vlan tagging 200-204
ip mtu 1500
exit
interface 0/23
voice vlan 201
service-policy in PolicyVoiceVLAN
bandwidth 100000
switchport mode trunk
switchport trunk native vlan 456
vlan pvid 456
vlan participation include 200-204,456
vlan tagging 200-204
ip mtu 1500
exit
interface 0/24
bandwidth 100000
switchport mode trunk
switchport trunk native vlan 999
vlan pvid 999
vlan participation include 200-208,455-456,999
vlan tagging 200-207,455-456
ip mtu 1500
exit
interface vlan 1
routing
ip address dhcp
exit
interface vlan 200
routing
ip address 10.253.0.1 255.255.255.0
exit
interface vlan 201
routing
ip address 10.253.1.1 255.255.255.0
exit
interface vlan 202
routing
ip address 10.253.2.1 255.255.255.0
ip access-group Deny_Guest_Intervlan_Routing vlan 202 in
exit
interface vlan 203
routing
ip address 10.253.3.1 255.255.255.0
exit
interface vlan 204
routing
ip address 10.253.4.1 255.255.255.0
exit
interface vlan 205
routing
ip address 10.253.5.1 255.255.255.0
exit
interface vlan 206
routing
ip address 10.253.6.1 255.255.255.0
exit
interface vlan 207
routing
ip address 10.253.7.1 255.255.255.0
exit
interface vlan 208
routing
ip address 10.253.8.1 255.255.255.0
exit
interface vlan 455
routing
ip address 10.253.255.2 255.255.255.0
exit
interface vlan 456
routing
ip address 10.253.11.1 255.255.255.0
exit
interface vlan 99
routing
ip address 10.253.9.1 255.255.255.0
exit
ip management vlan 203
service dhcp
ip dhcp pool "Telefonie"
lease 7 0 0
dns-server 8.8.8.8 8.8.4.4
default-router 10.253.1.1
network 10.253.1.0 255.255.255.0
domain-name secit.be
netbios-node-type b-node
exit
ip dhcp pool "guest"
lease 0 12 0
dns-server 8.8.8.8 8.8.4.4
default-router 10.253.2.1
network 10.253.2.0 255.255.255.0
domain-name secit-guest.be
netbios-node-type b-node
exit
ip dhcp pool "media"
lease 0 12 0
dns-server 10.253.3.2 8.8.4.4
default-router 10.253.7.1
network 10.253.7.0 255.255.255.0
domain-name secit-media.be
netbios-node-type b-node
exit
ip dhcp pool "TD"
lease 0 14 0
dns-server 10.253.3.2 8.8.4.4
default-router 10.253.4.1
network 10.253.4.0 255.255.255.0
domain-name secit-td.be
netbios-node-type b-node
exit
ip dhcp pool "internal"
lease 7 0 0
dns-server 10.253.3.2
default-router 10.253.0.1
network 10.253.0.0 255.255.255.0
domain-name fixitsolutions.local
netbios-node-type b-node
exit
exit
Maybe it's the DHCP packets being filtered.
To check, try adding a rule to allow DHCP packets.
Example (this is obviously NOT the exact rule to filter only DHCP packets, just a simple rule for the test):
ip access-list Deny_Guest_Intervlan_Routing
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
permit udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 68
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
If this ACL works (you can get a DHCP address), then you will need to write the ACL properly, something like (this is just an example):
ip access-list Deny_Guest_Intervlan_Routing
! DHCPDISCOVER
permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
! DHCPOFFER
permit udp 10.253.2.1 0.0.0.0 eq 67 255.255.255.255 0.0.0.0 eq 68
! DHCPINFORM
permit udp 10.253.2.0 0.0.0.255 eq 68 255.255.255.255 0.0.0.0 eq 67
! DHCPACK
permit udp 10.253.2.0 0.0.0.255 eq 67 255.255.255.255 0.0.0.0 eq 68
! Internal traffic
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
! Internet traffic
permit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0
exit
-
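The DHCP point made in the reply above, worked through as an added example (editor's code, not from the thread or from NETGEAR): a small Python evaluator for Cisco/FASTPATH-style wildcard-mask ACLs, run against the Deny_Guest_Intervlan_Routing ACL exactly as posted and against a client-side rewrite. It makes two things visible. First, a DHCPDISCOVER is sourced from 0.0.0.0, so no rule whose source is 10.253.2.0 0.0.0.255 can ever match it, and the implicit deny that closes every ACL drops it. Second, a wildcard of 0.0.0.0 means "every bit must match", so a destination written as 0.0.0.0 0.0.0.0 matches only the single host 0.0.0.0, not "any"; the rewrite therefore uses the keyword any (0.0.0.0 255.255.255.255, the form the reply's own first test ACL uses), which is my substitution. The rewrite keeps only client-sourced rules because the ACL is applied inbound on VLAN 202, where server-to-client packets never appear; it also replaces the posted per-subnet deny list, which omits 10.253.255.0/24 (VLAN 455), with the reply's single 10.253.0.0 0.0.255.255 deny. The packets are constructed for the example.

```python
"""Wildcard-mask ACL evaluator (Cisco/FASTPATH semantics), constructed for the
guest-VLAN thread above. Not code from the thread or from NETGEAR."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol
    src: str
    src_wc: str          # wildcard: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wc: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def _take_addr(t, i):
    """Consume '<addr> <wildcard>' or 'any' (= 0.0.0.0 255.255.255.255) at t[i]."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    return t[i], t[i + 1], i + 2

def _take_port(t, i):
    """Consume an optional 'eq <port>' at t[i]."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_ace(line: str) -> Ace:
    """Parse one 'permit|deny <proto> <src> [eq p] <dst> [eq p]' line."""
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny"):
        raise ValueError(f"bad ACE: {line!r}")
    src, src_wc, i = _take_addr(t, 2)
    sport, i = _take_port(t, i)
    dst, dst_wc, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    if i != len(t):
        raise ValueError(f"trailing tokens in ACE: {line!r}")
    return Ace(t[0], t[1], src, src_wc, dst, dst_wc, sport, dport)

def parse_acl(text: str) -> List[Ace]:
    """Parse an ACL body; blank lines and '!' comments are skipped."""
    lines = [l.strip() for l in text.splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith("!")]

def wc_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base on every bit that is 0 in the wildcard."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def ace_matches(ace, proto, src, dst, sport, dport) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not (wc_match(src, ace.src, ace.src_wc) and wc_match(dst, ace.dst, ace.dst_wc)):
        return False
    if ace.sport is not None and ace.sport != sport:
        return False
    return ace.dport is None or ace.dport == dport

def evaluate(acl, proto, src, dst, sport=None, dport=None) -> Tuple[str, int]:
    """First match wins; ('deny', -1) is the implicit deny that closes every ACL."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, proto, src, dst, sport, dport):
            return ace.action, idx
    return "deny", -1

# The ACL as posted: ten per-subnet denies, then a permit whose destination
# '0.0.0.0 0.0.0.0' (all-zero wildcard) matches only the single host 0.0.0.0.
POSTED_ACL = parse_acl("\n".join(
    f"deny ip 10.253.2.0 0.0.0.255 10.253.{n}.0 0.0.0.255"
    for n in (0, 1, 3, 4, 5, 6, 7, 8, 9, 11)
) + "\npermit ip 10.253.2.0 0.0.0.255 0.0.0.0 0.0.0.0")

# Rewrite in the spirit of the reply, client-side rules only (the ACL is inbound
# on VLAN 202, so only client-sourced packets hit it); 'any' replaces the
# thread's '0.0.0.0 0.0.0.0' destination.
FIXED_ACL = parse_acl("""
! DHCPDISCOVER / DHCPREQUEST from a client that has no address yet
permit udp 0.0.0.0 0.0.0.0 eq 68 255.255.255.255 0.0.0.0 eq 67
! broadcast DHCPREQUEST / DHCPINFORM from an addressed guest client
permit udp 10.253.2.0 0.0.0.255 eq 68 255.255.255.255 0.0.0.0 eq 67
! guest -> every other 10.253.x.x subnet
deny ip 10.253.2.0 0.0.0.255 10.253.0.0 0.0.255.255
! guest -> internet
permit ip 10.253.2.0 0.0.0.255 any
""")

if __name__ == "__main__":
    # Constructed packets: (proto, src, dst, sport, dport)
    for label, pkt in {"DHCPDISCOVER": ("udp", "0.0.0.0", "255.255.255.255", 68, 67),
                       "guest->internal": ("ip", "10.253.2.50", "10.253.0.10", None, None),
                       "guest->8.8.8.8:53": ("udp", "10.253.2.50", "8.8.8.8", 51000, 53),
                       "DHCP renewal": ("udp", "10.253.2.50", "10.253.2.1", 68, 67)}.items():
        print(f"{label:18} posted={evaluate(POSTED_ACL, *pkt)} fixed={evaluate(FIXED_ACL, *pkt)}")
```

The last packet is the one to keep an eye on: a client in RENEWING state sends its DHCPREQUEST unicast to the server (10.253.2.1:67), and the rewrite's /16 deny line catches it, as the posted ACL's implicit deny did. Whether that matters depends on whether the platform applies a VLAN ingress ACL to traffic addressed to the switch itself, which is worth verifying on the device (for example with a lease timer short enough to watch a renewal) before relying on it.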
Thanks for reading.
This topology consists of one 6224 and two 2824 PowerConnect switches.
Right now we're looking to build two routed VLANs, sharing a small range of IPs on VLAN 20.
We also want to route out to the internet for both nets. Do I need a third VLAN for that?
Presumably one for each actual route out, I would think.
I've entered the following commands into the 6224.
- -
configure
vlan database
vlan 10
vlan 20
exit
interface vlan 10
ip address 192.168.1.1 /24
ip access-group BUSINESS
name SALES
routing
exit
interface vlan 20
ip address 172.16.1.1 /24
ip access-group SALES
name BUSINESS
routing
exit
ip access-list SALES
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.16.1.0 0.0.0.255 any
exit
ip access-list BUSINESS
permit ip 172.16.1.204 0.0.0.7 any
permit ip 192.168.1.0 0.0.0.255 any
exit
! these are untagged in both VLAN 1 and VLAN 10; each has a PVID of 1 in both VLANs??
interface range ethernet 1/g9-1/g16
switchport mode access
switchport access vlan 10
exit
! these are untagged in VLAN 20; a PVID of 1 or 20, neither changes anything
interface range ethernet 1/g17-1/g24
switchport mode access
switchport access vlan 20
exit
ip routing
- -
From VLAN 10 on the 6224, all addresses in VLAN 10 and 20 can be pinged.
From VLAN 20 on the 6224, all addresses in VLAN 10 and 20 can be pinged.
2824-1 is connected via its port 24 (a member of VLAN 20 in switchport mode access)
to port 24 on the 6224.
Port 1/g23 on 2824-1 is connected to a host at 172.16.1.240. That host can ping nothing
beyond 172.16.1.1. But if I plug both the switch uplink and the host into a Cisco 3524XL at factory default,
I can ping everything on the 172.16.1.0/24 subnet right across the uplink. I'd like at the least
to get help on what the issue is with the pings from the 2824.
The ACLs aren't actually in play yet, but they are intended as part of the config.
Thanks in advance for your help.
I think you're on the right track; leave configuring the ACLs for now. Once we have connectivity, then add them in.
For the connections between the two switches, use trunk/general mode instead of access mode.
If the 6224 performs the routing and connects to your external connection, that connection should have its own dedicated VLAN. The 6224 also needs a static route in place to direct traffic on.
Here's a post with some info to look over.
en.Community.Dell.com/.../19506015.aspx
Keep us updated.
Thank you